Before HOWARD B. BLANKENSHIP, CAROLYN D. THOMAS, and 
JAMES R. HUGHES, Administrative Patent Judges. 

BLANKENSHIP, Administrative Patent Judge. 

DECISION ON APPEAL 

STATEMENT OF THE CASE 

This is an appeal under 35 U.S.C. § 134(a) from the Examiner's final 
rejection. Appellants appeal the rejection of claims 11-15 and 38-42, which 
are all of the remaining claims in the application. We have jurisdiction 
under 35 U.S.C. § 6(b). 

We reverse. 

Invention 

Appellants' invention relates to techniques for providing limited 
access to data stored in records of databases. Abstract. 

Representative Claim 
11. A method of controlling access to records stored in a database, 
said method comprising: 

identifying a password that is associated with one or more users 
of said database; 

defining a calculation expression for said identified password, 
wherein said calculation expression is a variable expression defined 
based on at least one field of data used in a plurality of records stored 
in said database, wherein said calculation expression can be evaluated 
at least partly based on said at least one field of data used in said 
plurality of records, wherein said at least one field of data is a variable 
which may have different values for each of said plurality of records, 
thereby allowing access to each individual record of said plurality of 
records to be selectively controlled based on at least one value of said 
at least one field of data stored for each of said plurality of records of 
said database, and wherein said calculation expression defines access 
privileges of said one or more users with respect to at least one 
operation that may be requested to be performed by said one or more 
users on said plurality of records of said database; 

receiving a request to perform said at least one operation on 
said plurality of records of said database, said request being identified 
as a request made by said one or more users associated with said 
password; and 

evaluating said calculation expression for each of said plurality 
of records, based on said at least one field of data, when said request 
has been received, wherein said evaluating comprises: (a) determining 
at least one value for said at least one field of data stored for a first 
record of said plurality of records, (b) using said at least one value as 
input to said calculation expression to evaluate said calculation 
expression for said first record, and (c) determining a first result for 
said calculation expression based on said evaluation of said 
calculation expression for said first record, wherein said first result 
effectively indicates whether to grant access to said first record. 

Prior Art 

Bapat 6,236,996 B1 May 22, 2001 

R. Elmasri, et al., Fundamentals of Database Systems, p. 718 
(Addison Wesley 3rd ed., 2000) ("Elmasri"). 

Examiner's Rejections 

Claims 11 and 38 stand rejected under 35 U.S.C. § 112, second 
paragraph as being indefinite for failing to particularly point out and 
distinctly claim the invention. 

Claims 11-15 and 38-42 stand rejected under 35 U.S.C. § 103(a) as 
being unpatentable over Bapat and Elmasri. 

Claim 11 Is Representative 
We will consider the two grounds of rejection in turn and discuss 
claim 11 as representative. Claims 11 and 38 are the only independent 
claims on appeal, each containing the limitations in controversy. 

ISSUES 

(1) Have Appellants shown that the Examiner erred in finding that 
"identifying and evaluating the next records" is an omitted essential step that 
renders claim 11 indefinite? 

(2) Have Appellants shown that the Examiner erred in finding that 
the combination of Bapat and Elmasri teaches "evaluating said calculation 
expression for each of said plurality of records" as recited in claim 11? 

PRINCIPLES OF LAW 
The Examiner bears the initial burden of presenting a prima facie case 
of unpatentability. In re Oetiker, 977 F.2d 1443, 1445 (Fed. Cir. 1992). 

ANALYSIS -- § 112, SECOND PARAGRAPH 
The Examiner finds that claim 11 recites receiving a request to 
perform at least one operation on said plurality of records, and evaluating a 
calculation expression for each of said plurality of records. The Examiner 
submits that the "evaluating" from lines 23 through 29 of the claim is 
performed only for a "first record." The Examiner concludes that the claim 
omits the step of "identifying and evaluating the next records" as disclosed 
in instant Figure 10. Ans. 4, 23. 

However, the rejection fails to explain why the step of "identifying 
and evaluating the next records" is an essential step for the subject matter of 
claim 11. The rejection, at best, merely points out that material described by 
the drawings is not expressly set forth in the open-ended "comprises" 
portion of the "evaluating" step of the claim. 

Thus, we agree with Appellants to the extent that the rejection fails to 
demonstrate that claim 11 is indefinite under 35 U.S.C. § 112, second 
paragraph. 

FINDINGS OF FACT 

1. Bapat discloses an access control database that has access 
control objects collectively storing information specifying access rights by 
users to specified sets of the managed objects. Abstract. 

2. The format of each row in the database tables preferably 
includes a field called the "fully distinguished name" (FDN) of a managed 
object followed by columns of data: Data 1, . . . , Data N. Preferably, the 
FDN for each row represents the tree path (through the managed object tree) 
for the managed object whose information is stored in that row. The tree 
path for an object may be represented in the form "/a/b/c/ . . ." where a, b, 
and c indicate nodes along the tree path. For example, an FDN can look like: 

/systemid="sysr7owner="accompany"/devicetype="router'7. . . 

The FDN operates as the primary key to the data stored in the table. 
Using security mechanisms, the FDN is used as the key that determines 
which managed objects that a particular user is permitted to access or 
modify. Fig. 11A; col. 19, ll. 23-40. 

3. Access control for a particular user on a particular managed 
object is defined by a permissions table or tables. Preferably, the present 
invention has an access Grant table and an access Deny table. Each table 
stores permission entries. Col. 26, ll. 10-14. 

4. A permission entry 1502, 1504 is a tuple having three fields, as 
shown below: 

(user name, object name, operation type). 

Although Figures 15A and 15B show the object name in each 
permission entry as a single word, preferably the object name is the FDN for 
a managed object. 

The user name is the name of the user (or the group of users) whose 
access rights are represented by the permission entry, the object name 
identifies the managed object to which the permission entry applies, and the 
operation type is the operation that the specified user is being granted or 
denied with respect to the specified object. The operation type can be a 
select, delete, insert or update operation. Figs. 15A and 15B; col. 26, ll. 28-41. 

5. Enforcement of Access Control Rules based on permission 
tables is done according to the following algorithm, which assumes that an 
operation is requested by user U1: "1. . . . 4. Check the Grant table to see if 
User U1 has specific granted items, and grant access if the current operation 
matches the operation specified in the Grant table." Col. 27, l. 45 to col. 28, 
l. 3. 

6. Step 1614 represents the action of the access control procedure 
404, which limits access to the management information stored in the set of 
database tables. The access control procedure uses the set of access rights 
stored in the permissions table to determine which, if any, of the rows of 
data specified by the intercepted query are accessible by the user. Fig. 16A; 
col. 29, ll. 37-43. 

ANALYSIS - § 103(a) 
The Examiner finds that "evaluating said calculation expression for 
each of said plurality of records, based on said at least one field of data, 
when said request has been received" as recited in claim 11 encompasses 
enforcing access control by checking a user name and a fully distinguished 
name (FDN) in a received SQL command to a row of a permission table 
containing the FDN and the user name. Ans. 7-8, 19-20. In particular, the 
Examiner finds that the FDN is a field of data (Ans. 15), the SQL command 
is a received request (Ans. 8), each row in the permission table is a 
calculation expression (Ans. 6), and the calculation expression is evaluated 
by checking the user name and FDN in the received command to a row of 
the permission table containing the FDN and the user name (Ans. 6-8, 19-20). 

Appellants contend that Bapat does not teach or suggest a single 
expression that can be evaluated to define access for multiple records. App. 
Br. 11-12. The Examiner responds that the phrase "evaluating a calculation 
expression multiple times" is not recited in claim 11. Ans. 20. However, 
claim 11 recites "evaluating said calculation expression for each of said 
plurality of records." The Examiner has not explained how the same 
calculation expression is evaluated "for each of said plurality of records" as 
recited in claim 11. 

Although Bapat discloses using the set of access rights stored in the 
permission table to determine which, if any, of the rows of data specified by 
an intercepted SQL request are accessible by the user, Bapat does this by 
matching the FDN for the object specified in the user's request with the 
FDN in a row of the permission table containing the user's name, then using 
the access rights in that row to grant or deny user access to the 
corresponding object in the database. FF 2-6. Bapat has not been shown to 
disclose comparing the same FDN in the user's request with the FDN for 
each of a plurality of records in the database. Therefore, Bapat does not 
teach "evaluating said calculation expression for each of said plurality of 
records" as recited in claim 11. 

Therefore, the rejection fails to set forth a prima facie case of 
obviousness of the subject matter of claim 11. 

CONCLUSIONS OF LAW 

(1) Appellants have shown that the Examiner erred in finding that 
"identifying and evaluating the next records" is an omitted essential step that 
renders claim 11 indefinite. 

(2) Appellants have shown that the Examiner erred in finding that 
the combination of Bapat and Elmasri teaches "evaluating said calculation 
expression for each of said plurality of records" as recited in claim 11. 

DECISION 

The rejection of claims 11 and 38 under 35 U.S.C. § 112, second 
paragraph as being indefinite for failing to particularly point out and 
distinctly claim the invention is reversed. 

The rejection of claims 11-15 and 38-42 under 35 U.S.C. § 103(a) as 
being unpatentable over Bapat and Elmasri is reversed. 

REVERSED 


